Hi,

Is there an easier way to update my signed zonefiles than having to do

ldns-keygen -a RSASHA1_NSEC3 -b 1024 <domain> && ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k <domain> && ldns-signzone <domain> <zone signing key> <key signing key>

over and over?

My setup is here: https://gist.github.com/kakekake89/5945810

Would appreciate general improvement advice as well. Just switched over from BIND, couldn't be happier.

O.D.
Hi,

On 07/08/2013 04:32 AM, opendaddy at hushmail.com wrote:
> Hi,
>
> Is there an easier way to update my signed zonefiles than having to do ldns-keygen -a RSASHA1_NSEC3 -b 1024 <domain> && ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k <domain> && ldns-signzone <domain> <zone signing key> <key signing key> over and over?

Not in NSD, it does support in-line signing. So you need something else to do the signing for you. You might be interested in OpenDNSSEC to do the DNSSEC stuff for you: http://www.opendnssec.org/

Best regards,
Matthijs

> My setup is here: https://gist.github.com/kakekake89/5945810
>
> Would appreciate general improvement advice as well. Just switched over from BIND, couldn't be happier.
>
> O.D.
> Is there an easier way to update my signed zonefiles than having to do
> ldns-keygen -a RSASHA1_NSEC3 -b 1024 <domain> && ldns-keygen -a
> RSASHA1_NSEC3 -b 2048 -k <domain> && ldns-signzone <domain> <zone
> signing key> <key signing key> over and over?

If you invoke `ldns-keygen` every time you change a zone file, you are generating NEW keys at each run. I very much doubt you really want that, as you'd have to submit your DS RRset to the parent zone each time!

-JP
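A small POSIX shell script that follows JP's point above: it generates a key pair only when none is recorded yet, and on every later run just bumps the SOA serial and re-signs with ldns-signzone, so the KSK and the DS at the parent stay stable until you roll them on purpose. This is an added example for this thread, not code from any of the posters and not part of NSD, ldns or OpenDNSSEC. It assumes (all constructed for the example) that the unsigned zone file is named after the zone as in the question, that the SOA serial line carries a `; serial` comment, and that the basenames of the current ZSK and KSK are recorded in marker files under a `KEYDIR` directory. Only the signing step calls the ldns tools; the serial and key-reuse logic runs without them.

```shell
#!/bin/sh
# resign.sh: bump the SOA serial and re-sign a zone with ldns-signzone,
# reusing the key pairs from earlier runs instead of generating new ones.
# Added example for this thread; not part of NSD or ldns.
# Assumptions (constructed for the example):
#   - the unsigned zone file is named after the zone, as in the thread
#     (./example.com -> ./example.com.signed after signing);
#   - the SOA serial line in the zone file carries a "; serial" comment;
#   - key pairs live in $KEYDIR, and the basename of the current ZSK/KSK
#     is recorded in $KEYDIR/<zone>.zsk and $KEYDIR/<zone>.ksk.

KEYDIR=${KEYDIR:-./keys}

# next_serial CUR [YYYYMMDD]: next serial in YYYYMMDDnn form. The date
# argument is optional (defaults to today, UTC) so the function can be
# exercised deterministically. Same day: counter + 1; new day: counter
# restarts at 01. A serial that is not in date form is replaced outright.
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    case $cur in
        "$today"[0-9][0-9])
            n=${cur#"$today"}
            n=${n#0}                    # strip leading zero: 08/09 are not octal
            n=$((n + 1))
            if [ "$n" -gt 99 ]; then
                echo "next_serial: counter exhausted for $today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$n" ;;
        *)
            printf '%s01\n' "$today" ;;
    esac
}

# bump_serial ZONEFILE [YYYYMMDD]: rewrite the "; serial" line in place and
# print the new serial. ldns-signzone signs whatever serial it is given, so
# this has to happen before signing or secondaries will not pick up the change.
bump_serial() {
    f=$1
    cur=$(awk '/; *serial/ { print $1; exit }' "$f")
    [ -n "$cur" ] || { echo "bump_serial: no '; serial' line in $f" >&2; return 1; }
    new=$(next_serial "$cur" "${2:-}") || return 1
    tmp="$f.tmp.$$"
    awk -v new="$new" '/; *serial/ && !done { $1 = new; done = 1 } { print }' \
        "$f" > "$tmp" && mv "$tmp" "$f"
    printf '%s\n' "$new"
}

# ensure_key ZONE zsk|ksk: print the basename of the recorded key pair,
# running ldns-keygen only if none is recorded yet. ldns-keygen prints the
# basename (K<zone>.+alg+id) of the files it writes; we store that in the
# marker file so later runs reuse the same keys.
ensure_key() {
    zone=$1 role=$2
    marker="$KEYDIR/$zone.$role"
    if [ -s "$marker" ]; then
        cat "$marker"
        return 0
    fi
    mkdir -p "$KEYDIR"
    if [ "$role" = ksk ]; then
        name=$(cd "$KEYDIR" && ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k "$zone")
    else
        name=$(cd "$KEYDIR" && ldns-keygen -a RSASHA1_NSEC3 -b 1024 "$zone")
    fi
    printf '%s\n' "$name" | tee "$marker"
}

# sign_zone ZONE: fetch (or create once) the keys, bump the serial, sign.
# -n selects NSEC3 to match the RSASHA1_NSEC3 keys; the signed zone lands
# in ./<zone>.signed, which is the file nsd.conf should point at.
sign_zone() {
    zone=$1
    zsk=$(ensure_key "$zone" zsk) || return 1
    ksk=$(ensure_key "$zone" ksk) || return 1
    bump_serial "$zone" >/dev/null || return 1
    ldns-signzone -n "$zone" "$KEYDIR/$zsk" "$KEYDIR/$ksk"
}

# Usage: ./resign.sh example.com   (then tell NSD to reload the zone)
if [ $# -ge 1 ]; then
    sign_zone "$1"
fi
```

To roll a key deliberately, delete the corresponding marker file, run the script again, and publish the new DS at the parent; until you do that, every edit-and-resign cycle keeps the existing keys, which is exactly what avoids the repeated DS submissions JP warns about.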